xworm | 30beca0bcbc02bf77acdfdd698f38068699b06106aba6a05bdf83cab12572b64

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

munchenclient.exe
Size

7.1MB
MD5

84236243dcb77d4936dd6654575b1f6b
SHA1

4f0629caaed54ed3e5a73a1c88dec0c8a42d654e
SHA256

30beca0bcbc02bf77acdfdd698f38068699b06106aba6a05bdf83cab12572b64
SHA512

2838e47dde2e7fbe96d966de46491aa9955bd5bcbb567de474de71ab556dfa5335f796df6ec029d4d6b9e25c4be6e7a73d47552f1d1402859509827303c9eb7b
SSDEEP

196608:Pii9mneDatAEYUpkkAq0YmUjp5NHNpYUxx44:bAnmI/kk3mUjp59Nx

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

uIevzGILIGd901ZV

Attributes

Install_directory
%AppData%
install_file
OneDrive Updater.exe
telegram
https://api.telegram.org/bot6813820189:AAEnLy9XOrfoO1MDfwUwZrxxour8yypLOhE

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001878c-8.dat	family_xworm
behavioral1/memory/2396-40-0x00000000008F0000-0x0000000000918000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe
2656	powershell.exe
2060	powershell.exe
1996	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2228	groyper.exe
2396	OneDrive.exe
2804	groyper.exe
1076	Process not Found

Loads dropped DLL 5 IoCs

pid	Process
3044	munchenclient.exe
3044	munchenclient.exe
2228	groyper.exe
2804	groyper.exe
1076	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Updater = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive Updater.exe"	OneDrive.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019627-38.dat	upx
behavioral1/memory/2804-39-0x000007FEF3FE0000-0x000007FEF45C8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	munchenclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1912	powershell.exe
2568	powershell.exe
2656	powershell.exe
2060	powershell.exe
1996	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2396	OneDrive.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1912	3044	munchenclient.exe	30
PID 3044 wrote to memory of 1912	3044	munchenclient.exe	30
PID 3044 wrote to memory of 1912	3044	munchenclient.exe	30
PID 3044 wrote to memory of 1912	3044	munchenclient.exe	30
PID 3044 wrote to memory of 2228	3044	munchenclient.exe	32
PID 3044 wrote to memory of 2228	3044	munchenclient.exe	32
PID 3044 wrote to memory of 2228	3044	munchenclient.exe	32
PID 3044 wrote to memory of 2228	3044	munchenclient.exe	32
PID 3044 wrote to memory of 2396	3044	munchenclient.exe	33
PID 3044 wrote to memory of 2396	3044	munchenclient.exe	33
PID 3044 wrote to memory of 2396	3044	munchenclient.exe	33
PID 3044 wrote to memory of 2396	3044	munchenclient.exe	33
PID 2228 wrote to memory of 2804	2228	groyper.exe	34
PID 2228 wrote to memory of 2804	2228	groyper.exe	34
PID 2228 wrote to memory of 2804	2228	groyper.exe	34
PID 2396 wrote to memory of 2568	2396	OneDrive.exe	35
PID 2396 wrote to memory of 2568	2396	OneDrive.exe	35
PID 2396 wrote to memory of 2568	2396	OneDrive.exe	35
PID 2396 wrote to memory of 2656	2396	OneDrive.exe	38
PID 2396 wrote to memory of 2656	2396	OneDrive.exe	38
PID 2396 wrote to memory of 2656	2396	OneDrive.exe	38
PID 2396 wrote to memory of 2060	2396	OneDrive.exe	40
PID 2396 wrote to memory of 2060	2396	OneDrive.exe	40
PID 2396 wrote to memory of 2060	2396	OneDrive.exe	40
PID 2396 wrote to memory of 1996	2396	OneDrive.exe	42
PID 2396 wrote to memory of 1996	2396	OneDrive.exe	42
PID 2396 wrote to memory of 1996	2396	OneDrive.exe	42
PID 2396 wrote to memory of 2452	2396	OneDrive.exe	44
PID 2396 wrote to memory of 2452	2396	OneDrive.exe	44
PID 2396 wrote to memory of 2452	2396	OneDrive.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\munchenclient.exe
"C:\Users\Admin\AppData\Local\Temp\munchenclient.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAcwBpACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\groyper.exe
  "C:\Users\Admin\AppData\Local\Temp\groyper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\groyper.exe
    "C:\Users\Admin\AppData\Local\Temp\groyper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2804
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive Updater.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive Updater.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive Updater" /tr "C:\Users\Admin\AppData\Roaming\OneDrive Updater.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {741F6DD0-9986-47F0-89EC-8136C87DF082} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DLCWH7GR7IMJZNXT0721.temp

Filesize
7KB

MD5
e31030108586dfe6b191b7232cee4e20

SHA1
1ba85f136c487160893c3d3f3d875d75d9976114

SHA256
4aad451f501ae71280e1fb4972c3c8da48921c1a5577029093d10cf36bcf8869

SHA512
8a111b3fd615a657b53bf8784c67baa60c081399231012c03061f1a6d2f7ca16c7c015354d9d5a66f1501936cef32f75e44590888ce427c402ec7efb3eb7e56e

Download Submit
\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
141KB

MD5
b8cfd486ae90e2bcfbae6ef42baa7fff

SHA1
34dd61af2e3ed15223d0ad0e4a7e4719cb080f81

SHA256
acec8c3dc9a857c90f66e75c5da50f6473903896de5810762c0342a45b2b4925

SHA512
a2327843295161b110d32ae7eb39f242f8de6f09518891a4a4b3daa2cbae4e45b2b36425f0621894e66fed947516fa5c640e89fa3d94db00edab9a3fe7f4aa60

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22282\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
\Users\Admin\AppData\Local\Temp\groyper.exe

Filesize
6.9MB

MD5
5583b323b1df8c930da5f591e4726d51

SHA1
e52dc8038af6801d40417e556536c000b8cf7590

SHA256
32d4e7271a3e169796115785d47ddd5aefaebd551cbc8a151ea5d4d3d70619d6

SHA512
2b4819ae0a001f41e015692785d77b933f5c0b575663286642b44b0507f9b3c5060dc59e20a16a9843aa88c6442e76642847a5733c0e4af6dd2ef4518b5b56dc

Download Submit
memory/2396-40-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/2568-46-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2568-45-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2656-52-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2656-53-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2804-39-0x000007FEF3FE0000-0x000007FEF45C8000-memory.dmp

Filesize
5.9MB

Download